Danger: Remote Access Trojans

My client's PC had been experiencing strange symptoms that included slow performance, a CD-ROM tray that opened and closed at random, strange error messages, and inverted screen images. After I severed his Internet connection and followed my typical malicious software (malware)—hunting steps, I located the culprits: two Remote Access Trojans (RATs)—the infamous Cult of the Dead Cow's Back Orifice and the lesser-known The Thing. In this case, the malicious intruders were kids who seemed more interested in causing online problems and trading pornography than in doing real damage. If they'd been more sophisticated, they could have gathered confidential financial information from my client's computer and network. RATs are more dangerous than all other types of malicious code. To protect yourself, become familiar with the types of RATs, how they work, and how to detect and prevent these pests.

On This Page

Scurrying RATs

RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.

Most RATs come in client and server components. Intruders ultimately launch the server program on a victim's machine by binding the installing component to some other legitimate program. (Intruders can use a program called a binder to combine RATs with legitimate executables so that the RATs execute in the background while the legitimate applications run, leaving victims unaware of the scurrilous activities.) In many cases, intruders can customize the server program: set IP port numbers; define when the program starts, what it's called, how it hides, and whether it uses encryption; customize logon passwords; and determine when and how the program communicates. After defining the server executable's behavior, the intruder generates the program, then tricks the host machine's owner into running it.

The process can send the intruder (aka the originator) an email message announcing its latest takeover success or contact a hidden Internet chat channel with a broadcast of the exploited PC's IP address. (I've watched hundreds of victim PC addresses appear in an hour on these channels. I've also seen intruders collect thousands of compromised machine addresses and use them as online currency.) Alternatively, after the RAT server program is launched, it can communicate directly with an originating client program on the intruder's PC by using a predefined TCP port. No matter how the RAT parts establish connectivity, the intruder uses the client program to send commands to the server program.

RAT originators can explore a particular machine or send a broadcast command that instructs all the Trojans under their control to work in a symphonic effort to spread or do more damage. One predefined keyword can instruct all the exposed machines to format their hard disks or attack another host. Intruders often use RATs to take over as many machines as they can to coordinate a widespread distributed Denial of Service (DoS) attack (known as a zombie attack) against a popular host. When the traffic-flooded victim tries to track down the intruder, the trail stops at hundreds of innocent, compromised DSL and cable-modem users, and the intruder walks away undetected.

A Unique Danger

After you remove most malware programs, the damage is done and the worst of the crisis is over. Not so with RATs. Like their virus and worm cousins, RATs can delete and modify files, format hard disks, upload and download files, harass users, and drop off other malware. I often find compromised PCs that intruders used to store games and other cracking tools, taking up nearly all the user's available hard disk space. But RATs have two unique features—content capturing and remote control—that make them a higher order of particularly dangerous malware.

First, the ability to capture every screen and keystroke means that intruders can gather users' passwords, directory paths, drive mappings, medical records, bank-account and credit card information, and personal communications. If your PC has a microphone, RATs can capture your conversations. If you have a WebCam, many RATs can turn it on and capture video—a privacy violation without par in the malicious-code world. Everything you say and do around the PC can be recorded. Some RATs include a packet sniffer that captures and analyzes every packet that crosses the PC's network card. An intruder then can use the information a RAT captures to create future back doors, cause privacy violations, perform identity theft, and create financial problems—problems that might not be readily identifiable for months. Whether you can ever trace these problems back to the RAT is debatable.

Second, an unauthorized user's ability to remotely control the host PC is a powerful tool when wielded in the wrong hands. Remote users not only can manipulate PC resources but can pose as the PC's legitimate user and send email on behalf of the user, mischievously modify documents, and use the PC to attack other computers. A home-based user hired me 2 years ago to prove to E*TRADE that he didn't commit an obviously money-losing stock trade. E*TRADE tied his PC's IP address to the trade, and I found direct evidence of the disputed trade in his browser's cache. I also found signs of the SubSeven (aka Backdoor_G) RAT. I wasn't able to tie the RAT to the bad stock trade, but I could tell that the RAT had been active during the trading period. (For information about legal RATs, see the Web-exclusive sidebar "Legitimate RATs," at http://secadministrator.com, InstantDoc ID 26104.)

Types of RATs

The most popular RATs, such as Back Orifice or SubSeven, are all-in-one intruder toolshops that do everything—capture screen, sound, and video content. These Trojans are key loggers, remote controllers, FTP servers, HTTP servers, Telnet servers, and password finders. Intruders can configure the IP port the RATs listen on, how the RATs execute, and whether the RATs contact the originator by using email, Internet Relay Chat (IRC), or another chat mechanism. The more malicious RATs contain rogue mechanisms that hide the Trojans from prying eyes, encrypt communications, and contain professional-looking APIs so that other intruder developers can insert additional functionality. These RATs' aggressive functionality makes them larger—often 100KB to 300KB—and somewhat riskier for the intruder to install without anyone noticing.

Intruders intentionally keep limited-function Trojans small (10KB to 30KB) so that they can quickly activate the programs without being noticed. These Trojans often function as keystroke loggers, storing each keystroke the exploited user makes in a hidden file that the intruder can download remotely and analyze later. Other Trojans install themselves as FTP, Web, or chat servers and steal computing resources. Intruders use some small RATs solely to secure the hard-to-get initial remote access to a host so that they can later upload and install a larger, more powerful RAT at a time when they are less likely to get noticed.

Type the keywords Remote Access Trojan into any Internet search engine. When you do, you'll find hundreds of RATs—so many that most Trojan Web sites sort them alphabetically, with dozens to more than a hundred per alphabetic letter. Let's take a brief look at two of the most popular RATs: Back Orifice and SubSeven.

Back Orifice. The Cult of the Dead Cow created Back Orifice in August 1998. The program raised the bar for RATs by adding a programming API and enough new features to make legitimate programmers jealous. Back Orifice 2000 (BO2K), released under the GNU General Public License (GPL), has attempted to gain a following with legitimate users and compete against programs such as pcAnywhere. But its default stealth mode and obviously harmful intent mean the corporate world probably won't embrace it anytime soon. Using the BO2K Server Configuration utility, which Figure 1 shows, an intruder can configure a host of server options, including TCP or UDP, port number, encryption type, stealth activities (which works better on Windows 9x machines than on Windows NT machines), passwords, and plugins. Back Orifice has an impressive array of features that include keystroke logging, HTTP file browsing, registry editing, audio and video capture, password dumping, TCP/IP port redirection, message sending, remote reboot, remote lockup, packet encryption, and file compression. The program comes with a software development kit (SDK) that extends its functionality through plugins. The default bo_peep.dll plugin lets intruders control the remote machine's keyboard and mouse. In practice, the Back Orifice Trojan is unforgiving of mistyped commands; it crashes frequently in the hands of new users but glides unseen in the hands of experienced operators.

Figure 1: Back Orifice interface

SubSeven. Even more popular than Back Orifice, the SubSeven RAT is always near the top of antivirus-vendor infection statistics. This Trojan functions as a key logger, packet sniffer, port redirector, registry modifier, and microphone and WebCam-content recorder. Figure 2 shows a few SubSeven client commands and server-configuration choices. SubSeven contains many features to aggravate the exploited user: An intruder can remotely swap mouse buttons; turn the Caps Lock, Num Lock, and Scroll Lock off and on; disable the Ctl+Alt+Del key combination; log off the user; open and close the CD-ROM drive; turn the monitor off and on; invert the display; and shut down or reboot the computer. SubSeven uses ICQ, Internet Relay Chat (IRC), email, and even Common Gateway Interface (CGI) scripting to contact the originating intruder. The program can randomly change its server port and notify the intruder of the change. SubSeven has specific routines that capture AOL Instant Messenger (AIM), ICQ, RAS, and screen-saver passwords.

Detecting and Removing RATs

If a computer virus or email worm has ever infected your company, the company is a prime candidate for a RAT. Typical antivirus scanners are less likely to detect RATs than worms or viruses because of binders and intruder encryption routines. Also, RATs have the potential to cause significantly more damage than a worm or virus can cause. Finding and eradicating RATs should be a systems administrator's top priority.

The best anti-malware weapon is an up-to-date, proven antivirus scanner. Scanners detect most RATs and automate the removal process as much as possible. Many security administrators rely on Trojan-specific tools to detect and remove RATs, but you can't trust some of these products any more than you trust the Trojans themselves. Agnitum's Tauscan, however, is a top Trojan scanner that has proved its efficiency over the years.

A clear clue to RAT infection is an unexpected open IP port on the suspected machine, especially if the port number matches a known Trojan port. (See Web Table 1, http://www.secadministrator.com, InstantDoc ID 26103, for a list of these ports.) When you suspect that a PC has been infected, disconnect the PC from the Internet so that the remote intruder can't detect the security probe and initiate more damage. Using the Task List, close all running programs that connect to the Internet (e.g., email, Instant Messaging—IM—clients). Close all programs running from the system tray. Don't boot to safe mode because doing so often prevents the Trojan from loading into memory, thus defeating the purpose of the test.

Table 1 Common Remote Access Trojan IP Port Numbers

Trojan Name

Port

BO jammerkillahV

121

NukeNabber

139

Intruders Paradise

456

Stealth Spy

555

Phase0

555

NeTadmin

555

Satanz Backdoor

666

Attack FTP

666

AIMSpy

777

Der Spaeher

1000

Silencer

1001

WebEx

1001

Doly Trojan

1011

Doly Trojan

1015

Netspy

1033

Bla 1.1

1042

Psyber Stream Server

1170

Streaming Audio Trojan

1170

SoftWar

1207

Ultors Trojan

1234

SubSeven

1243

VooDoo Doll

1245

GabanBus

1245

NetBus

1245

Maverick's Matrix

1269

FTP99CMP

1492

Psyber Streaming Server

1509

Shiva Burka

1600

SpySender

1807

ShockRave

1981

BackDoor

1999

Transcout

1999

Der Spaeher

2000

Trojan Cow

2001

Pass Ripper

2023

Bugs

2115

Deep Throat

2140

The Invasor

2140

HVL Rat5

2283

Striker

2565

Wincrash2

2583

The Prayer

2716

Phineas

2801

Portal of Doom

3700

Total Eclypse

3791

WinCrash

4092

FileNail

4567

IcqTrojan

4950

Sockets de Troie

5000

Sockets de Troie 1.x

5001

OOTLT Cart

5011

NetMetro

5031

Firehotcker

5321

BackConstruction 1.2

5400

BladeRunner

5400

Blade Runner 1.x

5401

Blade Runner 2.x

5402

Illusion Mailer

5521

Xtcp

5550

RoboHack

5569

Wincrash

5742

The thing

6000

The thing

6400

Vampire

6669

Host Control

6669

DeepThroat

6670

DeepThroat

6771

DeltaSource

6883

Heep

6912

Indoctrination

6939

GateCrasher

6969

Priority

6969

Remote Grab

7000

NetMonitor

7300

NetMonitor 1.x

7301

NetMonitor 2.x

7306

NetMonitor 3.x

7307

NetMonitor 4.x

7308

Qaz

7597

ICQKiller

7789

InCommand

9400

Portal of Doom

9872

Netstat is a common IP-troubleshooting utility that comes with many OSs, including Windows. You can use it to display all the active and listening IP ports—UDP and TCP—on a local host. Open a DOS command prompt and type

to list all the open IP ports on the local computer. Investigate any unexpected ports. (This step assumes you have an understanding of IP ports and which port numbers particular programs use.)

Figure 3 shows the output of a sample Netstat test. The results reveal that a port that Back Orifice uses (port 31337) is active on my PC (ROGER). The client portion of the RAT is using port 1216 on the remote machine (ROGERLAP). In addition to looking for known Trojan ports, be highly suspicious of unknown FTP server processes (port 21) or Web servers (port 80). The Netstat command has a weakness, however: It tells you which IP ports are active, not which programs or files are initiating the activity. You need to use a port enumerator to find out which executable is creating which connection process. Winternals Software's TCPView Professional Edition is an excellent port enumerator. Tauscan can tie a program to a port connection as well as identify the Trojan. Windows XP's Netstat utility includes a new —o parameter that will show the process identifier (PID) of the program or service that's using the port. You can look up the PID in Task Manager to identify the specific program.

Figure 3: Netstat test results

If you don't have a port enumerator to easily show you the culprit, follow these steps: Look for unknown programs in startup areas such as the registry, .ini files, and the Startup folder. Then, boot the PC into safe mode if possible, and run the Netstat command to make sure the RAT isn't already loaded into memory. Then, one by one, execute any suspicious programs you found during your investigations, and rerun the Netstat command between each execution. If a program initiates a connection to the Internet, I give it even more scrutiny. Incidentally, during my hunts for Trojans, I've found and deleted many spyware programs that freeware programs installed. Research the programs you don't recognize, and delete the programs you're unsure about.

The Netstat command and a port enumerator are great ways to check one machine, but how do you check an entire network? Most Intrusion Detection Systems (IDSs) contain signatures that can detect common Trojan packets within legitimate network traffic. FTP and HTTP datagrams have verifiable structures, as do RAT packets. A properly configured and updated IDS can reliably detect even encrypted Back Orifice and SubSeven traffic. (See http://www.snort.org for information about popular open-source IDS alternatives that can look specifically for known RATs.)

The Morning After

After you detect and eradicate RATs, a larger question looms: Did the remote intruder collect information that could harm you in the future? Answering that question in the confines of this article is difficult, but consider the following information to determine risk. How long has the RAT been around? Although you can't always rely on file-creation dates, use Windows Explorer to see when the RAT executables were created or last accessed. If the executable was created in the distant past and the last access was recent, an intruder could have been using the RAT over a long period. What type of activity did the intruder perform on the compromised machine? Did the intruder access confidential databases, send email, or access other remote networks or directory shares? Did the intruder have administrator rights? Look on the compromised machine for clues, such as files and programs with access dates and times outside the end user's usual business hours. In low-risk environments, most end users eradicate the RAT and work hard to prevent the remote intruder from returning. Compromised users might want to consider changing all passwords and other potentially revealed information (e.g., credit card numbers, PIN).

In a strict security environment with little toleration of unknown risks, alert the administrator or network security author if necessary, search the rest of the network, change all passwords, and make a thorough secondary-risk analysis. Completely reinstall and reformat compromised machines.

RATS have the potential for significant damage. Their ability to remotely control PCs and capture screens, keystrokes, audio, and video makes them far more dangerous than typical viruses and worms. Educating yourself, your staff, and your end users about RATs and taking the appropriate defensive steps can significantly minimize your risk.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.